Serious security issues found in all WD cloud products

I have today stumbled upon this article:

It seems that severe security vulnerabilities have been found in all my cloud devices, firmware 2.21.126, which is the latest one as far as I know, allowing attacker to gain root privileges and full control over system.

Is the fix being worked on, any ETA? And should we disconnect our devices from the WAN for time being?

Found additional source for security issues in the firmware:

Advice if this was fixed / when it will be fixed would be appreciated.

Perhaps you should check THIS community for additional info – this was being discussed in various message threads in depth. There is even an announcement by WD in Announcements forum section; imagine that. Look before you leap.

Well, pardon me for asking. Moreover, link shows that post-December update file still have security issues. Now I am no coder, but it looks like attacker can still gain root based on forged cookie and some PHP injection.
I would actually appreciate if you could check and confirm or deny this if you are more skilled in this department…

I am a user like you, so I have no idea about your question so search forums for current discussion about the security issue.

So you do not know anything, yet you came to bash me for asking. I like that attitude of yours…
Moreover, this is being discussed in MyCloud section, which is kind of confusing, as this actually applies to all WD network attached products. Think of it as spreading the knowledge to other WD users that are not aware yet.

Look, you came into this forum and asked your question totally without looking around (being lazy) and you want to get briefed? Did you ask people in school to do your homework, too? Yes, it is all over this board as you say, and that’s my point. Yes, it is fully being discussed in the My Cloud forum, because that is where it began over a year ago. Do you not know how to click on the Announcements forum and the Latest posts listings, or New?

Oh man, wow. Okay, I have to give you credit for the link to My Cloud firmware discussion. Really appreciated. For the rest - take your pills, calm down.
You want to help? Great! You don’t want to? Your choice. You want to give lectures to people? Become a teacher.
This is becoming heavily of topic. Give me your last rant and let’s close it.

Last rant: too many people come into the forums (most all forums) without doing their “homework” and have “an attitude”, often with a chip on their shoulder, and this “gets old”.

For a recent example: quite a few people in the Amazon Echo forum (many first time posters) were ranting this morning that their Echo devices did not update the time change overnight and started blaming Amazon and their device, when it was THEY wo did not have their time zone settings and country correct in the device settings. Like I said, this behavior gets old.
End of rant --Thanks :slight_smile:

Let’s go talk about WD in the vulnerability thread. As I pointed out in there, hardly anyone has posted about an attack of their MC device, Why the sudden panic now that we all know of the problem? It doesn’t mean a bomb will now drop on our devices just because we now know. So I am keeping mine running as usual, since all media data on it is saved elsewhere.

Point taken.
Now for the rest - the real concern here are not the script kiddies that go rm -rf / happy and wipe your device.
What is the far greater problem that hijacker installs backdoor and control daemon.
Congrats - your device is now part of the botnet. Normal user will most likely never find out. Meanwhile, your device is happily carrying out DDoS attack, attempting to infect devices in your local network with ransomware and other malicious software. Maybe some bitcoin mining here and there. Moreover it is consuming the resources you are paying for - power and network bandwith.
Imho any software dev that leaves security hole this big open for 8 friggin month and counting should be held liable for damages direct or indirect that resulted from his neglience.

Point taken! Although, don’t you think my Norton Security and Windows malware scans would find these malicious things? Otherwise, what good are they?

As good as their virus definitions are. Malicious software tends to be one step ahead of protection one, despite the heuristic and other algorithms employed to identify new threats.
Nevertheless, let’s say you have updated system, updated antivirus. Does that apply for all of the people connecting to your home WiFi? Is your smart TV updated, all security loopholes plugged? When did you last updated firmware of you router? Is the firewall set up properly? What about your smartphones and tablets? Do they still receive updates from it’s vendor?
Yes, it’s a bit paranoid. But all these devices have been already infected before, UBNT WiFi ap’s being a prime example where this may lead. There is enough unknown security loopholes around, I see no reason making hackers work more easy by not fixing known ones.